Domain-Joined PC Network Cards will no longer, or will only intermittently, join the Domain Network when identifying Network Connections from Inside network

Question

The network topology is like this: Router as Internet Gateway > Switch > Wired to Server and PCs, SIP phones, and Wireless Access Point, all on the same subnet. DNS and DHCP have been offloaded to Server Roles and switched off on the router.

All of the PCs have network cards that have joined the domain network at least some of the time since I set them up.

Some of them have always picked up the domain network and continue to this day.

Some of them intermittently pick up the domain network and other times join whatever other unmanaged network is available.

Some of them have stopped picking up the domain network altogether and will, no matter how many times their NICs are restarted, always join a non-domain (unmanaged) network.

When the NICs are not joining the domain, they are unable to ping hostnames of any devices on the network but nslookup of the hostnames usually works. The DC, DNS, DHCP server's IP can be pinged without issue, ipv4 or ipv6.

I am recording DNS Client Errors (ID 1014) on all of the PCs during the intervals when their NICs are identifying which network to join.

-On the PCs that are catching the domain network I am only getting a single error about the root domain, eg the domain is ad.domain.com and I am only getting errors about how the configured DNS servers cannot resolve domain.com (nothing with fully qualified domain names, eg server.ad.domain.com).

-On the PCs that are not catching the domain network I get a few different instances of the same error (substituted "domain" for my root domain name):

1) Name resolution for the name WPAD.ad.domain.com timed out after none of the configured DNS servers responded.

2) Name resolution for the name <DC-DNS-DHCPSERVERNAME>.ad.domain.com timed out after none of the configured DNS servers responded.

3) Name resolution for the name _LDAP._TCP.DC._MSDCS.ad.domain.com timed out after none of the configured DNS servers responded.

4) Name resolution for the name ISATAP.ad.domain.com timed out after none of the configured DNS servers responded.

Based on what I've read about NLA service choosing the domain to log into, I believe this 3rd error is the big one, although I guess the big error is that my configured DNS servers are not responding (except to NSLookups?)

From what I understand the Network Location Awareness Service Provider will, roughly, do the following: look into the registry to see if there is an entry for a domain network to join, and if there is, it will attempt to contact the domain controller of the same domain name. If it is successful with both parts it will join the domain network named "ad.domain.com". If not it will fall back to one of the other options, ie home, private, public, "whatever it's called" network.

I have tried many of the fixes presented for similar issues but I haven't found anything that's worked.

A few things I have tried while cycling my NICs on and off to test:

-turned off the firewall

-poked holes in the firewall for TCP/UDP port 389

-poked holes in the firewall for TCP/UDP port 88

-ipconfig /flushdns, ipconfig /registerdns

-netsh int ip reset

-netsh reset Winsock catalog and restarted

-route /f and restarted

-turned off DHCP Client Service

-restarted DHCP client Service

-turned off IPV6 on NICs

-hard-coded DNS servers, IPV4 and 6

-hard-coded static IPs and DNS Servers, only IPV4

-sfc /scannow to scan for integrity violations

All of these and also some combinations of these and more that I can't remember.

One more piece of info: I have been doing all of this remotely so there are always at least two NICs up (so I can stay connected and in control via the other), one LAN and one WLAN, but that is true for all PCs including the ones that are joined to the domain.

Another Consideration: I am running a Direct Access Server as a VM on the server. I am pretty sure I've got the Network Location Server working correctly as all PCs are able to access network resources and some of them as a part of the domain network, but I guess it's better to include this than to leave it out.

Answers

Please first try my suggestions as I mentioned in my last post. After that, since you mentioned you have a DHCP IPv6 server, you could try to disable the IPV6 in the server to test the issue if it doesn't affect your network.

Good luck fixing it.

Best Regards

Simon

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

All replies

Considering your network is a little complicated, I would like to confirm some questions with you.

1. Does the issued PC get the right IP address under your subnet?

2. Could you please upload your network topology picture since you have several domain controllers? We need more information about the location of the router, switch and server.

Before we know that, we suggest you first find an issued machine for testing. Please download the latest network adapter driver version from the official website for the machine and reinstall it.

If it doesn't work, we suggest you restart the service called "Network Location Awareness" in "Services" to test the issue. If it doesn't work, let the test machine quit the domain and then join the domain again to check it. If it works, we consider the network is not stable.

If it doesn't work, we consider the issue may be caused by the DNS server, since you could ping the IP successfully but the hostname failed, and it works fine via nslookup as you mentioned. Pay attention that a working nslookup cannot exclude the possibility of a DNS issue, because nslookup takes the record from the A record but not the SRV record. We suggest you post it in the Windows Server forum if the DNS server has a problem.

The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

Hope that can help you.

Best Regards

Simon

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
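The two points made above, that NLA's domain probe depends on locating a DC through the _ldap._tcp.dc._msdcs SRV record (question post) and that a successful nslookup or ping only proves A-record resolution, not SRV (reply above), can be checked from an affected client with a short script. The following is an added diagnostic example, not code posted in the thread; it assumes the AD DNS domain name ad.domain.com used in the question and should be run in an elevated PowerShell session on a PC that is landing on the wrong network profile.

```powershell
# Added diagnostic example (not from the thread). $Domain defaults to the
# ad.domain.com name used in the question; pass your own AD DNS domain.
param(
    [string]$Domain = 'ad.domain.com'
)

# 1. Which DNS servers each interface really uses. NLA's DC probe goes through
#    the client resolver, so a NIC still pointing at the router (or a second
#    NIC winning the binding order) never sees the AD zones at all.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. What NLA decided per interface: DomainAuthenticated vs Private/Public.
Get-NetConnectionProfile |
    Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# 3. The record the DC locator needs. ping/nslookup by hostname only exercise
#    A records; this explicitly asks for the SRV record and bypasses the local
#    cache and hosts file (-DnsOnly) so a stale cached answer cannot mask it.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        "SRV {0} -> {1}:{2} (priority {3})" -f $srvName, $r.NameTarget, $r.Port, $r.Priority

        # 4. A present SRV record is not enough; confirm LDAP on the advertised
        #    host/port is actually reachable from this client (firewall check).
        $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                                  -WarningAction SilentlyContinue
        "  LDAP {0}:{1} reachable = {2}" -f $r.NameTarget, $r.Port, $tcp.TcpTestSucceeded
    }
} catch {
    # This branch firing while A-record lookups succeed is the SRV-vs-A gap
    # described in the reply above: the resolver in use is not serving _msdcs.
    "SRV lookup for $srvName failed: $($_.Exception.Message)"
}

# 5. Ask the DC locator itself; /force discards the cached DC so the result
#    reflects what NLA would get on its next probe.
nltest /dsgetdc:$Domain /force
```

Read the output top to bottom: step 1 tells you whether the DNS servers on the affected NIC are the DC at all, step 3 separates "DNS answers A records" from "DNS serves the AD SRV records", step 4 separates a DNS problem from a port 389 block, and step 5 shows what the locator concludes. If steps 3 to 5 succeed but step 2 still shows Private or Public, restarting the NlaSvc service (Restart-Service NlaSvc) forces a fresh probe without a full NIC cycle.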

In reference to your first question, all the PCs are getting their proper IPs as designed in the DHCP server.

In reference to question 2:

As you can see I am only running one DC, it runs on the Server 2012 instance on the physical server.

Not shown here are three trivial websites hosted on the IIS server:

- A Network Location "Server" that is just a page with a cert to allow Direct Access clients to verify if they are in the network or not.

- Another certed page to allow the IPHTTPS transition technology to find the Direct Access server and verify it from the outside; the Direct Access server has port 443 forwarded through the router.

- And one other http page that the Direct Access Connectivity Assistant uses to help verify connectivity within the network.

I just configured the machine I am using to test, it definitely has the newest NIC and WNIC drivers available from the manufacturer.

I am pretty sure that I tried restarting the NLA service a couple of times, forgot to list that above but I'll give it a go one more time before I quit the domain and rejoin to test your theory.

I will take your advice about reposting if it comes up as a DNS issue.

Whatever happens I will repost here to let you know the outcome, thanks for your advice and please let me know if the Network topology diagram helps you think of something else.

One more thing, I have IPV6 enabled throughout my network, including a DHCPv6 on the DHCP server. A funny thing that is happening with that is that it isn't issuing any IPs, maybe that's a hint to someone...
